[Tails-dev] secure download tool | was download over http by…

Author: adrelanos
Date:  
To: liberationtech
CC: tails-dev
Old-Topics: [Tails-dev] download over http by default?
Subject: [Tails-dev] secure download tool | was download over http by default?
Speaking as maintainer of Whonix here.

Jacob Appelbaum:
> When upgrading a tails machine today, I noticed that the default
> download link is HTTP.


This is actually a problem for many (security related) application
downloads, not only for Tails. For example, also the gpg4win homepage
has no https download.

And how is a Windows user supposed to download gpg4win? Over an
unauthenticated channel? How many join a real life gpg community, get
the signatures for gpg itself and verify it? 1 to 1000?

> We've done some statistics on the number of users
> that actually bother to download signatures - it basically borders on
> none for some software. Does Tails find that for every ISO, users
> download the signature? Ten to one? Perhaps one out of every thousand
> downloads?


Switching topic to Whonix... Actually it's more like twenty to one
(a little worse).

Whonix-Gateway.ova downloads [1] per week: 668
Whonix-Gateway.ova.sig downloads [2] per week: 30

And some may think: verification is for paranoids only. It's not. It's a
real issue already, not theoretical. And Whonix already got attention
from the GFW. [3]

There are already state sponsored malware attacks. Infecting an
unauthenticated download on the fly isn't rocket science. Something
which could happen very soon and no one should be surprised. Yet, I
don't see any awareness.

> I really strongly encourage that the default download link should be
> secure -


That's a fine goal.

> if there was a tool to download updates and it automatically
> checked the signatures, I'd think it was perhaps OK to use HTTP.


That's the point. Is there such a tool already?

I don't think we need a Tails download tool, a gpg4win downloader, a
Whonix download tool, a TBB download tool...

> Without such a tool, I think this is merely a
> recipe for disaster.


Agreed.

> We carry a secure mirror here:
>
> https://archive.torproject.org/amnesia.boum.org/tails/stable/
>
> If you guys can't handle HTTPS traffic, I really encourage you to link
> to our HTTPS site as the default. If nothing else, I believe that some
> browsers also pin our certs. That at least changes the game to something
> a bit harder.


That's a nice offer. Unfortunately, not everyone has someone to foot the
bill and I think many projects are affected.

So I'd like to brainstorm about this secure download tool.

References:

[1] https://sourceforge.net/projects/whonix/files/whonix-0.5.6/
[2] https://sourceforge.net/projects/whonix/files/whonix-0.5.6-sig/
[3] http://whonix.sourceforge.net/screenshots/greatfire.html
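Added example, not code from this thread, Tails, Whonix or any project named here: the fail-closed core that a download tool of the kind discussed above would need. It fetches the image and its detached signature over plain HTTP and hands the bytes back only if they verify under a key pinned in the tool. Ed25519 stands in for gpg's signature scheme, and the mirror, key pair and image bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

var ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")

// SecureDownload fetches url and url+".sig" over whatever transport the client uses
// (plain HTTP is fine) and returns the artifact only if the detached signature
// verifies under the publisher key pinned in the tool. Anything else fails closed.
func SecureDownload(c *http.Client, url string, pinned ed25519.PublicKey) ([]byte, error) {
	var parts [2][]byte // [0] artifact, [1] detached signature
	for i, u := range []string{url, url + ".sig"} {
		resp, err := c.Get(u)
		if err != nil {
			return nil, err
		}
		parts[i], err = io.ReadAll(io.LimitReader(resp.Body, 64<<20)) // demo cap; bounds memory use
		resp.Body.Close()
		if err != nil || resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("fetch %s: HTTP %d, %v", u, resp.StatusCode, err)
		}
	}
	data, sig := parts[0], parts[1]
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, data, sig) {
		return nil, ErrBadSignature
	}
	return data, nil
}

// NewMirror is a constructed stand-in for an HTTP mirror, or for an on-path attacker
// rewriting the download, so the tool can be exercised offline.
func NewMirror(artifact, sig []byte) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/Whonix-Gateway.ova", func(w http.ResponseWriter, _ *http.Request) { w.Write(artifact) })
	mux.HandleFunc("/Whonix-Gateway.ova.sig", func(w http.ResponseWriter, _ *http.Request) { w.Write(sig) })
	return httptest.NewServer(mux)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // publisher key pair (constructed; nil means crypto/rand)
	sig := ed25519.Sign(priv, []byte("constructed Whonix-Gateway.ova"))
	m := NewMirror([]byte("image swapped in transit"), sig) // mirror serves a different image
	defer m.Close()
	_, err := SecureDownload(m.Client(), m.URL+"/Whonix-Gateway.ova", pub)
	fmt.Println("tampered download:", err) // prints the ErrBadSignature message
}
```

Swapping the signed image, the signature, or the pinned key all end in ErrBadSignature, so nothing unverified ever reaches disk; the transport's only job is availability.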